qemu/hw
Philippe Mathieu-Daudé dfba99f17f hw/sd/sdhci: Fix DMA Transfer Block Size field
The 'Transfer Block Size' field is 12-bit wide.

See section '2.2.2. Block Size Register (Offset 004h)' in datasheet.

Two different bug reproducer available:
- https://bugs.launchpad.net/qemu/+bug/1892960
- https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1

Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200901140411.112150-3-f4bug@amsat.org>
2020-10-21 13:19:01 +02:00
..
9pfs 9pfs: suppress performance warnings on qtest runs 2020-10-19 14:25:40 +02:00
acpi hw/acpi/piix4: Rename piix4_pm_add_propeties() to piix4_pm_add_properties() 2020-10-13 13:33:45 +02:00
adc meson: convert hw/adc 2020-08-21 06:30:32 -04:00
alpha load_elf: Remove unused address variables from callers 2020-09-25 16:52:08 -07:00
arm hw/arm/nseries: Fix loading kernel image on n8x0 machines 2020-10-20 16:12:01 +01:00
audio Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
avr Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
block hw/block/nvme: Simplify timestamp sum 2020-10-13 13:33:45 +02:00
char hw/char/serial: remove duplicate .class_init in serial_mm_info 2020-10-13 13:33:46 +02:00
core MIPS patches queue 2020-10-19 10:52:57 +01:00
cpu cpu/core: Register core-id and nr-threads as class properties 2020-09-22 16:48:29 -04:00
cris load_elf: Remove unused address variables from callers 2020-09-25 16:52:08 -07:00
display vga-pci: Register "big-endian-framebuffer" as class property 2020-10-13 15:56:30 -04:00
dma Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
gpio Pull request trivial patches 20200919 2020-09-22 15:42:23 +01:00
hppa Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
hyperv qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
i2c microbit_i2c: Fix coredump when dump-vmstate 2020-10-20 16:12:00 +01:00
i386 hw/xen: Set suppress-vmdesc for Xen machines 2020-10-19 16:33:28 +01:00
ide hw/ide: restore replay support of IDE 2020-10-09 17:27:55 +01:00
input Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
intc hw/intc/bcm2836_control: Use IRQ definitions instead of magic numbers 2020-10-20 16:12:00 +01:00
ipack Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
ipmi Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
isa x86: ich9: expose "smi_negotiated_features" as a QOM property 2020-09-29 02:15:24 -04:00
lm32 hw/sd/milkymist: Do not create SD card within the SD host controller 2020-08-21 16:22:43 +02:00
m68k Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
mem hw/mem: Stubbed out NPCM7xx Memory Controller model 2020-09-14 14:24:59 +01:00
microblaze load_elf: Remove unused address variables from callers 2020-09-25 16:52:08 -07:00
mips hw/mips: Remove exit(1) in case of missing ROM 2020-10-17 13:59:40 +02:00
misc macio: don't reference serial_hd() directly within the device 2020-10-18 16:21:42 +01:00
moxie load_elf: Remove unused address variables from callers 2020-09-25 16:52:08 -07:00
net qdev: add "check if address free" callback for buses 2020-10-12 11:50:50 -04:00
nios2 load_elf: Remove unused address variables from callers 2020-09-25 16:52:08 -07:00
nubus meson: convert hw/nubus 2020-08-21 06:30:25 -04:00
nvram hw/nvram: Always register FW_CFG_DATA_GENERATOR_INTERFACE 2020-10-12 11:50:20 -04:00
openrisc meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
pci hw/pci: Fix typo in PCI hot-plug error message 2020-10-13 13:33:45 +02:00
pci-bridge Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
pci-host uninorth: use qdev gpios for PCI IRQs 2020-10-18 16:21:42 +01:00
pcmcia pxa2xx: Move QOM macros to header 2020-08-27 14:04:55 -04:00
ppc mac_oldworld: Change PCI address of macio to match real hardware 2020-10-19 08:11:21 +01:00
rdma qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
riscv load_elf: Remove unused address variables from callers 2020-09-25 16:52:08 -07:00
rtc m48t59: remove legacy m48t59_init() function 2020-10-18 16:21:42 +01:00
rx Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
s390x error: Use error_fatal to simplify obvious fatal errors (again) 2020-10-09 08:36:23 +02:00
scsi scsi/scsi_bus: fix races in REPORT LUNS 2020-10-12 11:50:51 -04:00
sd hw/sd/sdhci: Fix DMA Transfer Block Size field 2020-10-21 13:19:01 +02:00
semihosting meson: convert hw/semihosting 2020-08-21 06:30:25 -04:00
sh4 Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
smbios hw/smbios: report error if table size is too large 2020-09-29 02:15:24 -04:00
sparc sun4m: use qdev properties instead of legacy m48t59_init() function 2020-10-18 16:21:42 +01:00
sparc64 sun4u: use qdev properties instead of legacy m48t59_init() function 2020-10-18 16:21:42 +01:00
ssi hw/ssi/npcm7xx_fiu: Fix handling of unsigned integer 2020-10-08 15:24:32 +01:00
timer hw/timer/bcm2835: Support the timer COMPARE registers 2020-10-20 16:12:00 +01:00
tpm Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
tricore meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
unicore32 meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
usb hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() 2020-10-19 09:17:21 +02:00
vfio vfio-ccw: plug memory leak while getting region info 2020-10-02 13:52:49 +02:00
virtio Error reporting patches for 2020-10-09 2020-10-09 14:47:45 +01:00
watchdog Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
xen xen-bus: reduce scope of backend watch 2020-10-19 16:32:41 +01:00
xenpv meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
xtensa load_elf: Remove unused address variables from callers 2020-09-25 16:52:08 -07:00
Kconfig hw/avr: Add limited support for some Arduino boards 2020-07-11 11:02:05 +02:00
meson.build meson: convert hw/arch* 2020-08-21 06:30:33 -04:00